Adding the action
If you’ve read my other fail2ban guides you already know I’m using linuxserver's letsencrypt container, so there won’t be any walkthrough of installing fail2ban. I will only go through the Cloudflare configuration.
Go to your appdata location and find the
Create a new file called cloudflare-apiv4.conf and add the following:
The unban curl command from https://guides.wp-bullet.com/integrate-fail2ban-cloudflare-api-v4-guide/ did not work for me, but changing it to what this user on serverfault shared did: https://serverfault.com/a/912547
Use the “Global API Key”.
Next is updating or adding your jails in the jail.local file. Go to your appdata location appdata/letsencrypt/fail2ban/ and edit the file called jail.local.
The only thing you really need to add is the action fail2ban will run after it has banned an IP: put action = cloudflare-apiv4 in the jails you want to use it on. For me that would be all the jails.
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
action = cloudflare-apiv4
port = http,https
logpath = /config/log/nginx/error.log
ignoreip = 192.168.1.0/24

[organizrv2-auth]
enabled = true
port = http,https
filter = organizrv2-auth
action = cloudflare-apiv4
logpath = /organizrv2/organizrLoginLog.json
ignoreip = 192.168.1.0/24
Specifying which site the ban works on
If you have several sites on your Cloudflare account and you want to specify which one the action should work on, you need to change the URL on the actionban line.
Instead of /user/ the path needs to say /zones/ followed by your zone ID.
actionban = curl -s -X POST "https://api.cloudflare.com/client/v4/zones/YOUR-CLOUDFLARE-ZONE-ID/firewall/access_rules/rules" \
And the same on the actionunban line:
actionunban = curl -s -X DELETE "https://api.cloudflare.com/client/v4/zones/YOUR-CLOUDFLARE-ZONE-ID/firewall/access_rules/rules/$( \
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR-CLOUDFLARE-ZONE-ID/firewall/access_rules/rules?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&match=all" \
Your zone ID can be found on the overview page on Cloudflare.
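To show the zone-scoped ban and the lookup-then-delete unban from the curl lines above as one piece of logic, here is an added Python script; it is not from the original guide and not Cloudflare's or fail2ban's own code. It assumes the Global API Key is sent in the X-Auth-Email/X-Auth-Key headers and that a small wrapper (not shown) calls ban()/unban() from the fail2ban action with the banned IP.

```python
"""Ban/unban an IP via Cloudflare's zone-scoped firewall access rules (API v4).
Assumed use: a fail2ban actionban/actionunban wrapper calls ban(ip)/unban(ip),
with the zone ID, account e-mail and Global API Key supplied by the operator."""
import json
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"

class CloudflareBanner:
    def __init__(self, zone_id, email, api_key, transport=None):
        self.zone = zone_id
        self.headers = {"X-Auth-Email": email, "X-Auth-Key": api_key,
                        "Content-Type": "application/json"}
        # transport(method, url, body) -> parsed JSON; injectable so the ban/unban
        # logic can be exercised offline with a fake instead of the live API.
        self.transport = transport or self._http

    def _http(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)

    def _call(self, method, suffix="", body=None):
        resp = self.transport(method, f"{API}/zones/{self.zone}/firewall/access_rules/rules{suffix}", body)
        if not resp.get("success"):  # every v4 answer carries success/errors/result
            raise RuntimeError(f"Cloudflare API error: {resp.get('errors')}")
        return resp["result"]

    def ban(self, ip, note="fail2ban"):
        body = {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}
        return self._call("POST", body=body)["id"]

    def find_rule_ids(self, ip):
        # Same lookup the actionunban curl performs, then an exact check on the value
        # so a looser server-side match can never delete a rule for a different IP.
        q = urllib.parse.urlencode({"mode": "block", "configuration_target": "ip",
                                    "configuration_value": ip, "per_page": 50, "match": "all"})
        return [r["id"] for r in self._call("GET", f"?{q}")
                if r.get("configuration", {}).get("value") == ip]

    def unban(self, ip):
        # No rule found is not an error: fail2ban may unban an IP that was never pushed.
        deleted = []
        for rule_id in self.find_rule_ids(ip):
            self._call("DELETE", f"/{rule_id}")
            deleted.append(rule_id)
        return deleted
```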
I recommend adding a whitelist for your WAN IP so you don’t accidentally ban yourself!
Next up is configuring nginx so that it won’t just ban the Cloudflare CDN IP but the actual IP of the visitor.
Tronyx 😘 Thank you Tronyx for creating the first draft of the guide.